Setting up the Calico CLI

The Calico command line tool, calicoctl, is used to manage Calico networks and security policies.

These steps must be run inside your IBM® Cloud Private cluster on a master, worker, or proxy node.

You can also follow these steps if you are setting up calicoctl from a remote workstation that is outside the IBM Cloud Private environment.

To set up the Calico command line, complete the following steps:

  1. Extract the calicoctl executable binary.

    • For Linux® x86_64, run the following command:

      docker run -t --rm -e LICENSE=accept -v "$(pwd)":/data ibmcom/icp-inception-amd64:3.1.0-ee cp /usr/local/bin/calicoctl /data
      
    • For Linux® on Power® (ppc64le), run the following command:

      docker run -t --rm -e LICENSE=accept -v "$(pwd)":/data ibmcom/icp-inception-ppc64le:3.1.0-ee cp /usr/local/bin/calicoctl /data
      
  2. Add the calicoctl executable binary file to your $PATH, for example by copying it to the /usr/local/bin/ directory.

  3. If you are setting up calicoctl from a remote workstation, copy the following files from the master node to your workstation:

    • /etc/cfc/conf/etcd/ca.pem
    • /etc/cfc/conf/etcd/client-key.pem
    • /etc/cfc/conf/etcd/client.pem

  4. Configure calicoctl to use the etcdv3 datastore. Use the same cluster_name that is in the config.yaml file on the boot node.

    • Export the certificate file:

      export ETCD_CERT_FILE=/etc/cfc/conf/etcd/client.pem
      
    • Export the CA certificate file:

      export ETCD_CA_CERT_FILE=/etc/cfc/conf/etcd/ca.pem
      
    • Export the key file:

      export ETCD_KEY_FILE=/etc/cfc/conf/etcd/client-key.pem
      
    • Export the etcd endpoint, which uses the cluster CA domain:

      export ETCD_ENDPOINTS=https://<cluster_CA_domain>:4001
      

      Where <cluster_CA_domain> is the certificate authority (CA) domain that was set in the config.yaml file during installation.

      Note: To retain the environment variable values between sessions, you can add them to a script, such as .bashrc. See the following example. You must copy the script to all the nodes on which you want to run the Calico CLI commands.

       #!/bin/sh
       export ETCD_CERT_FILE=/etc/cfc/conf/etcd/client.pem
       export ETCD_CA_CERT_FILE=/etc/cfc/conf/etcd/ca.pem
       export ETCD_KEY_FILE=/etc/cfc/conf/etcd/client-key.pem
       export ETCD_ENDPOINTS=https://<cluster_CA_domain>:4001
      

      For more information about configuring calicoctl with the etcdv3 datastore, see https://docs.projectcalico.org/v3.1/usage/calicoctl/configure/etcd.

  5. Use the Calico command line. To get started with the Calico command line, see https://docs.projectcalico.org/v3.1/reference/calicoctl/commands/.
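A pre-flight check for the settings from steps 3 and 4, useful after client-key.pem has been copied to a workstation. This is an added example, not part of the IBM or Calico documentation; the function name check_calicoctl_env and its messages are hypothetical. It also accepts a comma-separated endpoint list, which goes beyond the single endpoint shown on this page.

```shell
#!/bin/sh
# Added example (not IBM's script): pre-flight check for the step 4 settings.
# Prints one line per problem; the return status is the number of problems.
check_calicoctl_env() {
    problems=0
    # All four variables from step 4 must be set.
    for var in ETCD_CERT_FILE ETCD_CA_CERT_FILE ETCD_KEY_FILE ETCD_ENDPOINTS; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "MISSING: $var is not set"
            problems=$((problems + 1))
        fi
    done
    # Each certificate and key file that is named must be readable.
    for f in "${ETCD_CERT_FILE:-}" "${ETCD_CA_CERT_FILE:-}" "${ETCD_KEY_FILE:-}"; do
        if [ -n "$f" ] && [ ! -r "$f" ]; then
            echo "UNREADABLE: $f"
            problems=$((problems + 1))
        fi
    done
    # The client private key must grant nothing to group or others.
    if [ -n "${ETCD_KEY_FILE:-}" ] && [ -e "$ETCD_KEY_FILE" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ldL "$ETCD_KEY_FILE" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "KEY PERMISSIONS: $ETCD_KEY_FILE is open to group/others; chmod 600"
            problems=$((problems + 1))
        fi
    fi
    # Every endpoint (comma-separated list) must be a filled-in https:// URL.
    for ep in $(echo "${ETCD_ENDPOINTS:-}" | tr ',' ' '); do
        case $ep in
            *"<"*|*">"*)
                echo "PLACEHOLDER: replace <cluster_CA_domain> in $ep"
                problems=$((problems + 1)) ;;
            https://*) ;;
            *)
                echo "NOT TLS: $ep does not start with https://"
                problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}
```

Source the file after exporting the variables and run check_calicoctl_env before the first calicoctl command; a return status of 0 means no problems were found.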